Magento PolyShell Flaw Enables Unauthenticated Uploads, RCE and Account Takeover
Sansec disclosed a critical unrestricted file upload vulnerability in Magento's REST API (dubbed PolyShell) affecting all versions up to 2.4.9-alpha2, allowing unauthenticated attackers to upload arbitrary executables disguised as images and achieve remote code execution or account takeover via stored XSS. Adobe fixed the issue in the 2.4.9 pre-release branch (APSB25-94), but current production versions lack an isolated patch. No active exploitation has been reported.
Summary
Sansec disclosed a critical unrestricted file upload vulnerability in Magento's REST API (dubbed PolyShell) affecting all versions up to 2.4.9-alpha2, allowing unauthenticated attackers to upload arbitrary executables disguised as images and achieve remote code execution or account takeover via stored XSS. Adobe fixed the issue in the 2.4.9 pre-release branch (APSB25-94), but current production versions lack an isolated patch. No active exploitation has been reported.
Full text
Magento PolyShell Flaw Enables Unauthenticated Uploads, RCE and Account Takeover Ravie LakshmananMar 20, 2026Web Security / Vulnerability Sansec is warning of a critical security flaw in Magento's REST API that could allow unauthenticated attackers to upload arbitrary executables and achieve code execution and account takeover. The vulnerability has been codenamed PolyShell by Sansec owing to the fact that the attack hinges on disguising malicious code as an image. There is no evidence that the shortcoming has been exploited in the wild. The unrestricted file upload flaw affects all Magento Open Source and Adobe Commerce versions up to 2.4.9-alpha2. The Dutch security firm said the problem stems from the fact that Magento's REST API accepts file uploads as part of the custom options for the cart item. "When a product option has type 'file,' Magento processes an embedded file_info object containing base64-encoded file data, a MIME type, and a filename," it said. "The file is written to pub/media/custom_options/quote/ on the server." Depending on the web server configuration, the flaw can enable remote code execution via PHP upload or account takeover via stored XSS. Sansec also noted that Adobe fixed the issue in the 2.4.9 pre-release branch as part of APSB25-94, but leaves current production versions without an isolated patch. "While Adobe provides a sample web server configuration that would largely limit the fallout, the majority of stores use a custom configuration from their hosting provider," it added. To mitigate any potential risk, e-commerce storefronts are advised to perform the following steps - Restrict access to the upload directory ("pub/media/custom_options/"). Verify that nginx or Apache rules prevent access to the directory. Scan the stores for web shells, backdoors, and other malware. "Blocking access does not block uploads, so people will still be able to upload malicious code if you aren't using a specialized WAF [Web Application Firewall]," Sansec said. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE Tweet Share Share Share SHARE Adobe Commerce, API Security, cybersecurity, Magento, Malware, remote code execution, Vulnerability, web security, xss Trending News FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days Researchers Trick Perplexity's Comet AI Browser Into Phishing Scam in Under Four Minutes Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack and More Veeam Patches 7 Critical Backup and Replication Flaws Allowing Remote Code Execution Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware Meta to Shut Down Instagram End-to-End Encrypted Chat Support Starting May 2026 Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration ⚡ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents and More CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS Popular Resources Webinar - Identify Key Attack Paths to Your Crown Jewels with CSMA Guide - Discover How to Validate AI Risks With Adversarial Testing Get the 2026 ASV Report to Benchmark Top Validation Tools Fix Security Noise by Focusing Only on Validated Exposures
Indicators of Compromise
- cve — APSB25-94